Docker-compose 服务/容器之间互访失败

问题

同网络内，容器间能ping 但访问监听端口时，提示'No route to host'

复现步骤

通过 docker-compose 启动多个服务容器， 并且服务都在同一个网络内

sh-4.2# ping 172.20.0.2
PING 172.20.0.2 (172.20.0.2) 56(84) bytes of data.
64 bytes from 172.20.0.2: icmp_seq=1 ttl=64 time=0.152 ms
64 bytes from 172.20.0.2: icmp_seq=2 ttl=64 time=0.081 ms

sh-4.2# curl -vvv  http://172.20.0.2:8080
* About to connect() to 172.20.0.2 port 8080 (#0)
*   Trying 172.20.0.2...
* No route to host
* Failed connect to core:8080; No route to host
* Closing connection 0
curl: (7) Failed connect to core:8080; No route to host

解决

这是一个docker/firewalld的已知bug， 通过执行以下命令解决

firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=172.17.0.0/16 accept' && firewall-cmd --reload